Valve DNS privacy flap exposes the murky world of cheat prevention

Company denies any breach of privacy, as angry gamers cry foul.

Like most online game makers, Valve uses a cheat detection system to protect popular multiplayer games like Counter-Strike: Global Offensive, Team Fortress 2, and Dota 2 from hacks that would give a player an unfair advantage. That Valve Anti-Cheat (VAC) system was at the center of a potential privacy bombshell earlier today, with accusations that the system was sending Valve a list of all the domains that a system has visited whenever a protected game was played.

The claim gained traction thanks to a Reddit post that included an image originating from a cheating/hacking forum, purportedly showing a partial decompilation of the offending VAC module. However, while the initial evidence suggested that VAC was doing something with users' DNS history, the decompiled code provided did not show that it was, in fact, transmitting that information back to Valve. Valve CEO Gabe Newell has subsequently and categorically denied that the module transmits any private information back to the company.

Windows maintains a DNS client cache so that repeated lookups of a domain name do not have to go back out to a resolver. Windows users can see the domains stored in the cache, both at the command line (ipconfig /displaydns) and within the GUI. The partial decompilation of VAC shows the module using undocumented Windows functions to enumerate all the cached entries. Each entry is then converted to lower case and hashed with MD5. The lower-casing step matters because DNS names are case-insensitive: without it, the hash of an entry would depend on how the name happened to be capitalized when it was looked up, and a comparison against a fixed hash would miss it.

Contrary to the original claims, though, the module doesn't appear to send that information to Valve, at least not in the code shown. Each MD5 hash is compared against a set of constant values (the image of the decompilation doesn't include the values it's being compared to), and if any comparison succeeds the hash is kept; otherwise it's discarded. What happens to the kept values is also not shown in the code provided. Comparing hashes rather than names means the module need not carry a plaintext list of the domains it is looking for, and a match yields only a hash rather than the rest of the cache, though with short, guessable domain names an MD5 of a domain is easily reversed with a dictionary, so this hides the target list from casual inspection, not from a determined analyst.

In spite of the lack of clarity or convincing evidence of the true nature of this VAC check, Reddit immediately blew up with speculation earlier today, with some suggesting that the entire set of hashes is sent to Valve, others suggesting that instead the module is doing a client-side check. Many seemed willing to assume the worst; some posters said that the company had "pulled an [Electronic Arts]," alluding to EA's poor reputation among many gamers.

In light of the controversy, Valve's CEO Gabe Newell stepped in this evening with a Reddit response to put people's minds at ease. The nature of anti-cheating systems makes open public discussion of systems like VAC something of a rarity; in an arms race against the cheaters, obfuscation and secrecy remain important weapons. Nonetheless, Newell was remarkably straightforward in explaining why VAC is so interested in the system DNS cache.

According to Newell, cheat software has its own DRM systems so that the developers can ensure that people pay for their cheats. If the VAC module detects certain cheats, it then checks to see if the system has performed lookups for the relevant cheat DRM servers. If it has, then (and only then) is the data sent to Valve so a ban can be issued. The module doesn't disclose the contents of the DNS cache, and Valve has no interest, in general, in which domains gamers' systems have looked up.
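As an added illustration of the check described above (the enumerate, lower-case, MD5 and compare sequence visible in the decompilation, plus the gating Newell describes), here is a small Python model. It is not Valve's code and does not reflect VAC internals beyond what this article states. It parses a constructed stand-in for ipconfig /displaydns output, hashes the record names the way described, keeps only hashes that hit a target set, and produces a report only when a cheat has already been detected by some other means. The domain names, the sample output and the report format are all assumptions made for the example.

```python
"""Client-side DNS-cache check modelled on the VAC description in the article.

Added illustration, not Valve's code. The domains, hashes and sample output
below are constructed; the only real-world details borrowed are the shape of
`ipconfig /displaydns` output and the lowercase-then-MD5 step.
"""
from __future__ import annotations

import hashlib
import re

# Constructed stand-in for `ipconfig /displaydns` output (not a real capture).
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 221
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 93.184.216.34

    AUTH.Cheat-Loader.Example
    ----------------------------------------
    Record Name . . . . . : AUTH.Cheat-Loader.Example
    Record Type . . . . . : 1
    Time To Live  . . . . : 59
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.7
"""

# Matches the "Record Name . . . . . : <name>" line of each cache entry.
_RECORD_NAME = re.compile(r"^\s*Record Name[ .]*:\s*(\S+)\s*$", re.MULTILINE)


def parse_displaydns(text: str) -> list[str]:
    """Return the record names listed in `ipconfig /displaydns` output, in order."""
    return _RECORD_NAME.findall(text)


def md5_domain(name: str) -> str:
    """Lower-case a domain and MD5 it, as the decompiled module is said to do.

    MD5 is used here only as a lookup key, hence usedforsecurity=False.
    """
    return hashlib.md5(name.lower().encode("utf-8"), usedforsecurity=False).hexdigest()


# Hypothetical cheat-DRM domains (assumption for the example). A shipped
# module would embed only the hashes; the plaintext names are kept here so
# the example is readable.
CHEAT_DRM_DOMAINS = ["auth.cheat-loader.example", "license.hypothetical-hack.test"]
CHEAT_DRM_HASHES = {md5_domain(d) for d in CHEAT_DRM_DOMAINS}


def matching_hashes(cached_names, target_hashes=CHEAT_DRM_HASHES) -> set[str]:
    """Hash every cached name and keep only the hashes that hit the target set.

    Non-matching entries are discarded immediately, so nothing about the rest
    of the cache survives this function.
    """
    return {h for h in map(md5_domain, cached_names) if h in target_hashes}


def build_report(cheat_detected: bool, cached_names, target_hashes=CHEAT_DRM_HASHES):
    """Return what would be sent to the server, or None.

    Per Newell's explanation the DNS check only runs after a cheat has already
    been detected by other means, and only the matching hashes are reported.
    """
    if not cheat_detected:
        return None
    hits = matching_hashes(cached_names, target_hashes)
    if not hits:
        return None
    return {"cheat_detected": True, "drm_hash_hits": sorted(hits)}


if __name__ == "__main__":
    names = parse_displaydns(SAMPLE_DISPLAYDNS)
    print("cached names:", names)
    print("report (no cheat detected):", build_report(False, names))
    print("report (cheat detected):", build_report(True, names))
```

The thing to notice is the shape of the output: the report carries at most the handful of hashes that matched, never the cache itself, and nothing at all leaves unless the cheat-detected flag was already set. It is also clear why the check was short-lived, as Newell's statement later in this thread notes: a client that flushes or rewrites its DNS cache (ipconfig /flushdns) before the check runs leaves nothing to match.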

With this explanation, it's likely that the fuss will blow over soon enough. Still, today's brouhaha shows the vulnerable position Valve is in. Due to the techniques used by the cheat developers, it's common for anti-cheat software to use some fairly underhanded techniques itself; VAC, for example, uses obfuscated code and undocumented API functions to go about its business. Anyone wanting to cast Valve in a bad light, or even simply raise suspicion about (otherwise desirable) anti-cheat software, need only make this same kind of partial, incomplete disclosure, and fear mongering will do the rest.

According to Newell, cheat software has its own DRM systems, so that the developers can ensure that people pay for their cheats. If the VAC module detects certain cheats, it then checks to see if the system has performed lookups for the relevant cheat DRM servers. If it has, then (and only then) is the data sent to Valve, so a ban can be issued.

And now every cheat system will flush the DNS cache every time it needs to do a lookup.

The amount of misinformed articles I've seen around this is staggering. People thinking that simply visiting a cheat site == ban, or people thinking Valve is wholesale harvesting your info.

It's fucking hilarious, not to mention that the DNS cache checking ONLY occurs if VAC has already detected a cheat (as per what Gabe said). So literally only the cheaters will have their single DNS cache item checked.

I thought perhaps Blizzard did something like this as well with Warden, but it turns out from what the Internet knows, they do not (http://en.wikipedia.org/wiki/Warden_%28software%29). Gathering that sort of PII is pretty ballsy, but if it's just checked against a blacklist rather than stored, then it's likely a big hoopla about nothing.

According to Newell, cheat software has its own DRM systems, so that the developers can ensure that people pay for their cheats. If the VAC module detects certain cheats, it then checks to see if the system has performed lookups for the relevant cheat DRM servers. If it has, then (and only then) is the data sent to Valve, so a ban can be issued.

And now every cheat system will flush the DNS cache every time it needs to do a lookup.

Gabe addressed this in his Reddit post:

Quote:

Cheat versus trust is an ongoing cat-and-mouse game. New cheats are created all the time, detected, banned, and tweaked. This specific VAC test for this specific round of cheats was effective for 13 days, which is fairly typical. It is now no longer active as the cheat providers have worked around it by manipulating the DNS cache of their customers' client machines.

Valve CEO Gabe Newell has subsequently and categorically denied that the module transmits any private information back to the company.

The problem with statements like that is Gabe Newell might have a very different definition of "private information" than someone like me. It is transmitting information back and I might consider that information to be private.

Unless he outlines everything that is actually being sent, I'm not prepared to take his word for it.

No it is not reasonable. A game (or part thereof) has no reason to go about gathering information about my activities to find out whether I'm cheating. It infuriates me that companies think it's OK to go about my personal information just to verify I'm not cheating (especially since I do not cheat). Most of the cheating that goes on could be detected with server side simulation and by gathering statistics (weapons firing above their programmed accuracy, players moving faster than possible, etc.), but that requires resources and costs money. So instead of designing a properly hardened game server they just engage in a pointless arms race with cheaters and trample legitimate users' privacy.

IIRC this is what max payne 3 did; anyone with outlier statistics got shunted into "cheater" servers where everyone was cheating.

Yeah. I have a really cool idea for a mod to iRacing that I just learned cannot be implemented... because the data my idea requires could also be used to cheat in the game.

The data is available and there's a fully public API for mods like the one I want to make, but specific parts of the data can only be accessed several minutes later instead of in real time. Such a shame. :-(

Kudos to Valve for getting in front of the issue, instead of ducking it like most companies do.

While I get ornery about DRM on movies, music and most games, I would expect at least some measures for anti-cheating to be implemented in multiplayer games.

Would you play your favorite multiplayer games if even some of the people in any given session could use cheating mods? Most customers encountering rampant cheating in a multiplayer-heavy game would demand their money back, because they were sold a gaming experience that had been compromised by cheaters.

No, I wouldn't want valve recording my web browsing history, but if they were doing that I would think it would be in their TOS. (yea, I know nobody reads those things.)

Cheat versus trust is an ongoing cat-and-mouse game. New cheats are created all the time, detected, banned, and tweaked. This specific VAC test for this specific round of cheats was effective for 13 days, which is fairly typical. It is now no longer active as the cheat providers have worked around it by manipulating the DNS cache of their customers' client machines.

A beautiful statement on the gamer mentality. They get their panties in a bunch when the game designer tries to protect them from cheaters, but will pay an anonymous party to f**k with their system without telling them.

Most of the cheating that goes on could be detected with server side simulation and by gathering statistics (weapons firing above their programmed accuracy, players moving faster than possible, etc.), but that requires resources and costs money. So instead of designing a properly hardened game server they just engage in a pointless arms race with cheaters and trample legitimate users' privacy.

Pff, you think Valve doesn't have the resources and money for something that ridiculously trivial?

If it was that easy, cheap, and effective, they'd have done that years ago, and cheating would be impossible forever.

Most of the cheating that goes on could be detected with server side simulation and by gathering statistics (weapons firing above their programmed accuracy, players moving faster than possible, etc.), but that requires resources and costs money.

That's actually not what cheats do in Counterstrike (I can't speak for other Valve games). The two main types, aim hacks and wall hacks, wouldn't actually be able to be simulated on the server based on my understanding of them.

In the case of aim hacks, because the guns in that game will always fire in the same spot if the conditions are the same (# of bullets fired in that burst, movement), those cheats simply put the user's gun in the perfect spot when they fire. You definitely wouldn't be able to tell from a simulation whether a shot was legitimate, as the guns all have a learnable recoil pattern and the game is played at a ridiculously high level by professional gamers.

The others are wall hacks, and simply show where your opponents are through walls. This might seem a little easier to simulate, but it would still be very problematic as the games are played in a defender/attacker style, with several places for people to optimally ambush or defend from. Due to those places being "better", competitive players quickly learn to check those spots or to preemptively throw flashbangs or smoke grenades there.

TL;DR - People are mad good at this game, to the point that it can be difficult to tell the difference between a competent player and a cheater.

Cheat versus trust is an ongoing cat-and-mouse game. New cheats are created all the time, detected, banned, and tweaked. This specific VAC test for this specific round of cheats was effective for 13 days, which is fairly typical. It is now no longer active as the cheat providers have worked around it by manipulating the DNS cache of their customers' client machines.

I know about the cat-and-mouse for malware and virus scanners, but I had no idea that the cat-and-mouse between cheaters and anti-cheat tools was that heated.

You figure out an entirely new way to detect cheats, it works for half a month at most, and then they've figured out what your heavily-obfuscated code is doing and it no longer works. And that method was used "for this specific round of cheats," likely meaning that several of these new approaches have to be developed and run in parallel.

The ongoing expense of that effort could be enormous, given that it depends so heavily on a team that can continue to come up with effective ways to detect and counter cheats.

...Most of the cheating that goes on could be detected with server side simulation and by gathering statistics (weapons firing above their programmed accuracy, players moving faster than possible, etc.), ....

Those are some pretty crappy cheats. Any decent cheat would play by the rules, but be very good. There is NO server side way to tell this from a good player having a good day.

TL;DR - People are mad good at this game, to the point that it can be difficult to tell the difference between a competent player and a cheater.

Those types of hacks actually do not bother me as they do not ruin a game. They just increase the number of competent (or seemingly competent) players. Note that if a game is not approachable to beginners because there is no way a beginner can compete (and improve) at an enjoyable level it will stagnate. The cheats that bother me are those that place the cheater in the impossible spectrum.

They may not bother you, but they're a big problem for any game that wants to be an eSport.

TL;DR - People are mad good at this game, to the point that it can be difficult to tell the difference between a competent player and a cheater.

Those types of hacks actually do not bother me as they do not ruin a game. They just increase the number of competent (or seemingly competent) players. Note that if a game is not approachable to beginners because there is no way a beginner can compete (and improve) at an enjoyable level it will stagnate. The cheats that bother me are those that place the cheater in the impossible spectrum.

Okay, I'm going out on a limb here, but I doubt that you play many FPS, 'seriously', so I'm going to list why I have an issue with the things you said here, so others who don't play FPS can understand why cheaters are a huge problem.

- Cheats are not automatic "Competency Boosts". They make you more accurate, or they give you additional information. They do not allow you to make smart weapon purchases (cash for weapons/items are given based on your previous rounds performance), communicate and coordinate effectively, play from intelligent positions, give you situational awareness or any other number of things that are required to be successful in this game.

-There are different skill divisions in the game that prevent excellent players from being queued with people who are new to the game.

-Playing a game at a fair to a very slightly tipped level of competition is what causes a player to improve. You can learn a new boost spot, or a new position to play from when the game is fair. Seeing a jerk 360 jumping headshot you with a deagle through a door just makes you want to quit.

-If a player knows what they're doing, cheats do "place the cheater in the impossible spectrum."

-Those cheats completely, and totally ruin any highly competitive game like Counterstrike. Imagine if spitballs were still allowed in baseball - sure, it's not like there's a batting cage that descends over an opposing player as they step up to the bat, but it's definitely an action that's designed to make a pitcher better than they truly are, while making the batter play worse than they actually are. It also completely goes against the spirit of the game, can make a match almost impossible to win, and sucks any sort of fun you can have (even if you're somehow winning!) from the game.

Cheat versus trust is an ongoing cat-and-mouse game. New cheats are created all the time, detected, banned, and tweaked. This specific VAC test for this specific round of cheats was effective for 13 days, which is fairly typical. It is now no longer active as the cheat providers have worked around it by manipulating the DNS cache of their customers' client machines.

A beautiful statement on the gamer mentality. They get their panties in a bunch when the game designer tries to protect them from cheaters, but will pay an anonymous party to f**k with their system without telling them.

Logical failure. This assumes that the people with concerns about VAC are the same people buying cheats.

I will admit I sometimes cheat... Now hold your bullets! I am a solo player and think there is no way to make Orange and Transvaal succeed in Victoria unless you manually mod a few province strings.

Ahhh....It's the old "Kobayashi Maru" dodge eh??? You will of course be called to appear before a disciplinary tribunal!

I kid, I kid ... you're probably in the clear on this one, & your disciplinary hearing will be interrupted anyway! What I'm half expecting is a Snowden-sourced power point published on Polygon which implicates the NSA in manipulating game mechanics as part of their search for the infamous gaming terrorist Leroy Jenkins!

TL;DR - People are mad good at this game, to the point that it can be difficult to tell the difference between a competent player and a cheater.

I was going to point out that given a statistical analysis tool to find cheaters, f4tality and his ilk probably would have ended up banned.

This. I know what I'm talking about. I was One Of Those Guys in late 90s. Top 100 consistently on CLQ. I played HL1 DM and Q2. No one could beat me except for (sometimes!) a few guys just like me and we all knew each other. What happened? Lost interest. Stopped playing 4-5 hours a day. And I got old and lost the reflexes and hand/eye needed for this.

Yep finding cheaters is really hard.

Anyhow, anyone who's up in arms about this does not understand what Valve is. They aren't a large corporation replete with MBA suits and lawyers and many layers of management. They haven't got any management. Gabe is the sole owner but he doesn't go around telling everyone what to do, or make unilateral decisions. The entire company are just a bunch of techie gamer nerds working in a flat team structure. Here. Read their employee handbook:

Doesn't this mean that any application installed on my PC might already be tracking my DNS cache? I think the bigger problem here is that why Windows applications are allowed to access this kind of information in the first place.